Google offers larger rewards to vulnerability hunters

Following a drop in the number of external researchers reporting security holes, Google has announced that it will be increasing some of the bounties paid as part of its Vulnerability Rewards Program. The program, which first launched in early 2010, pays security researchers for discovering and reporting holes in the company's browsers and in Chromium OS, the open source branch of the minimalist Chrome OS Linux-based operating system built around the Chrome web browser.

Google Software Engineer Chris Evans says that the fall in externally reported security issues signalled that "bugs are becoming harder to find, as the efforts of the wider community have made Chromium significantly stronger". Because of this, the company is updating the reward structure to include additional bonuses of $1,000 or more on top of the standard bounties.

These bonuses will be awarded on top of the base reward for "particularly exploitable" issues, bugs found in the Stable channel of the software code bases, and serious vulnerabilities that affect a wider range of products such as the open source libraries used in Chromium. As Chrome and Chromium bundle Adobe Flash, the company is offering rewards for Flash vulnerabilities; issues found in other components used by its products, such as the Linux kernel, are also eligible for the rewards program.

Evans notes that the panel will also reward impressive individual reports; these include high or critical vulnerabilities in NVIDIA, ATI and Intel GPU drivers, local privilege escalation problems, 64-bit security bugs, and renderer-to-browser exploits. The software engineer goes on to point out that no serious hole has been discovered in the IJG libjpeg library used by Google in more than a decade, asking "Can one be found?"

The program's base reward for eligible security holes is $500 and goes up to $3,133.37 for a "particularly severe" vulnerability. However, in the past Google has also paid out bounties of $10,000 for special individual bugs. According to Evans, the program has so far paid out more than $1 million to external researchers for reporting bugs. The company's other Safe Browsing bug bounty program pays up to $20,000 for problems found in its web apps and in services such as YouTube and Blogger.